On 12 March 2010 c. 03:23:00 Stuart Henderson wrote:
> On 2010-03-11, Christopher Zimmermann <madro...@zakweb.de> wrote:
> > Hi,
> >
> > my -current firewall is configured to block all in, block all out
> > and allow only certain outbound connections.
> >
> > Now I want to allow outbound ftp connections.
> >
> > I read ftp-proxy(8) and
> > http://openbsd.org/faq/pf/ftp.html#client.
> >
> > As I understand it, ftp-proxy could be used to create rules for
> > inbound and outbound connections on 4.6. Now on -current the rdr
> > keyword is missing from the pf.conf syntax. Instead ftp-proxy(8)
> > suggests using rdr-to, but this only works for inbound
> > connections.
> >
> > Is it possible to allow ftp connections from a local client to
> > public ftp servers on the internet? Possibly by using ftp-proxy?
>
> I suspect your understanding of "inbound" is from the viewpoint
> of your network; PF doesn't care about that at all, it's only
> concerned with whether a packet is inbound or outbound to a
> particular interface.
>
> rdr only works for inbound connections too.
>
> A rule like the following works just fine for an ftp connection
> from a local client to a public ftp server:
>
> pass in quick log on {lan, wifi, natted} inet proto tcp \
>     to port 21 rdr-to 127.0.0.1

Well, if "block out all" is set on external interface then ftp-proxy
outgoing connections will be blocked - ftp-proxy(8) does not create PF
rules for connections itself. Something like

pass out on $ext_if from ($ext_if) to port ftp

will work around this, but I think ftp-proxy(8) should be fixed instead...

--
  Best wishes,
    Vadim Zhukov

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?
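Putting the two rules from this thread together, as an added example that is not from either poster: a minimal pf.conf for a default-deny firewall where LAN clients reach public FTP servers through ftp-proxy(8). Interface names are assumptions; 127.0.0.1 port 8021 is ftp-proxy(8)'s default listen address, and the anchor is the one ftp-proxy uses to insert its rules for the data connections.

```pf
# Added example, not from the thread. Interface names are assumptions.
ext_if = "em0"
int_if = "em1"

set skip on lo

# Default deny in both directions, as in the original poster's setup.
block in all
block out all

# ftp-proxy(8) inserts pass rules for the FTP data connections here.
anchor "ftp-proxy/*"

# Control connection from LAN clients: redirect port-21 traffic to the
# local proxy (Stuart's rule, with ftp-proxy's default listen port added).
pass in quick log on $int_if inet proto tcp \
    to port ftp rdr-to 127.0.0.1 port 8021

# The proxy then opens its own control connection to the real server
# from the firewall itself; "block out all" would drop it without this
# rule (Vadim's workaround).
pass out on $ext_if from ($ext_if) to port ftp

# Other permitted outbound traffic is listed explicitly, e.g.:
pass out on $ext_if inet proto tcp from ($ext_if) to port { www https }
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -a "ftp-proxy/*" -sr` while a transfer is in progress shows the rules ftp-proxy has inserted for the data connection.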
